Vbs.OnTheFly

I woke up today to find about three zillion copies of the Vbs.OnTheFly virus in my inbox. I can't believe people are still stupid enough to run attachments with ".vbs" extensions. Anyway, I set about decrypting the virus and figuring out what it does, so here are my results.

Basically, it's a very simple virus. The second line is an "Execute" line that actually contains the virus itself. The rest of the script is the function used to decrypt the code before running it.

When you look at the decrypted code, you'll notice that it does four things:

A little about the encoding algorithm. It is basically a Caesar shift cipher where the ANSI character set is the alphabet being encoded. It uses a Caesar shift of 2, shifting the ANSI character set and using that in a nearly direct substitution. The only special cases are chars 10 (space, _), 13 (return, \r), and 32 (newline, \n), which are transformed into chars 15, 16, and 17 respectively. It adds another little twist by decoding 2 characters at a time and reversing their order. It is an extremely simple algorithm, but there is no reason to use a complicated one when it is just used to obfuscate something and the decoder is sitting right next to the output.

I would also like to note that it appears the script ends up in an infinite loop checking if the file it began execution from exists. If it doesn't, it recreates the file. I'm not sure how badly this loop will affect performance, but I know one person whose system became unusable. So it isn't completely without payload.

I just couldn't leave this node alone. I was nearly complete with my own analysis of the script when I was directed to wonko's excellent one above. I guess I can't complain about being beaten to the punch by a guy who used to do this for a living.
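The obfuscation scheme described in the writeup above (shift of 2 over the 8-bit ANSI range, the three special cases 10, 13 and 32 mapping to 15, 16 and 17, and adjacent output characters swapped) is simple enough to re-implement for study. The code below is an added example for this node, not the script's own decoder and not taken from the sample itself; it follows the description literally and treats two things the writeup leaves open as assumptions: the shift wraps modulo 256 at the top of the range, and a trailing unpaired character is left in place. The round-trip uses a constructed, harmless VBScript fragment as input.

```python
# Re-implementation (added example, not the script's own code) of the
# obfuscation scheme described in the node: Caesar shift of +2 over the
# 8-bit ANSI range, three special cases, then each adjacent pair of
# output characters swapped.  Decoding reverses those two steps.

SHIFT = 2
# Per the writeup: chars 10, 13 and 32 become 15, 16 and 17.
SPECIALS = {10: 15, 13: 16, 32: 17}
INV_SPECIALS = {v: k for k, v in SPECIALS.items()}

# With a plain +2 shift, raw chars 14 and 15 would also land on 16 and 17
# and collide with the special-case outputs.  Neither appears in script
# text, so the encoder refuses them rather than produce undecodable output.
# (Assumption drawn from the description, not stated on the page.)
AMBIGUOUS_PLAINTEXT = {14, 15}


def _shift_forward(code: int) -> int:
    """Map one plaintext byte to its obfuscated value."""
    if code in SPECIALS:
        return SPECIALS[code]
    return (code + SHIFT) % 256          # assumption: wrap within 0..255


def _shift_back(code: int) -> int:
    """Inverse of _shift_forward."""
    if code in INV_SPECIALS:
        return INV_SPECIALS[code]
    return (code - SHIFT) % 256


def _swap_pairs(data: bytes) -> bytes:
    """Swap bytes 0<->1, 2<->3, ...; a trailing odd byte stays put.

    Swapping is its own inverse, so the same helper serves both directions.
    """
    out = bytearray(data)
    for i in range(0, len(data) - 1, 2):
        out[i], out[i + 1] = data[i + 1], data[i]
    return bytes(out)


def encode(plain: bytes) -> bytes:
    """Obfuscate plaintext the way the writeup describes."""
    bad = AMBIGUOUS_PLAINTEXT.intersection(plain)
    if bad:
        raise ValueError(f"plaintext contains undecodable control chars: {sorted(bad)}")
    shifted = bytes(_shift_forward(b) for b in plain)
    return _swap_pairs(shifted)


def decode(obfuscated: bytes) -> bytes:
    """Recover plaintext: undo the pair swap, then undo the shift."""
    unswapped = _swap_pairs(obfuscated)
    return bytes(_shift_back(b) for b in unswapped)


def roundtrip_ok(plain: bytes) -> bool:
    """Sanity check used by the demo: decode(encode(x)) must equal x."""
    return decode(encode(plain)) == plain


# Constructed, harmless VBScript fragment used only to exercise the codec.
SAMPLE = b'Dim s\r\ns = "hello world"\r\nMsgBox s\r\n'

if __name__ == "__main__":
    blob = encode(SAMPLE)
    print("obfuscated bytes:", blob)
    print("decoded        :", decode(blob).decode("cp1252"))
    print("round trip ok  :", roundtrip_ok(SAMPLE))
```

When examining a real sample, the decoded bytes should come back as readable script text; if they do not, the shift, the special-case table or the pairing rule differs from the description and needs to be read off the sample's own decode routine rather than assumed.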